David Reid wrote: > Joe Orton wrote: > >>On Sat, Sep 10, 2005 at 02:47:17AM +0100, David Reid wrote: >> >> >>>Following patch makes some changes to ssl_ext_lookup and changes it's >>>API, hence the post for review. >>> >>>Add some more warnings when things don't go as advertised. >> >> >>I don't think it's appropriate to log warnings (at least at >>APLOG_WARNING level) from a function like this - only the caller knows >>whether or not failures require user-visibile warnings or not. > > > OK. I think it makes sense to log them at some level though as otherwise > there is no indication what's wrong. When testing these caught me out > for a while, hence my additions. Maybe INFO would be a better level to > log at? > > >> >>>We now allow the "known" names to be used as extensions to lookup >>>expanding the flexability of the function. >>> >>>Add an index to allow repeated calls to get different values to handle >>>the case when the same extension is present multiple times (there is no >>>restriction how often they can appear I'm aware of). >> >> >>Use of the index seems fine though this is starting to overlap in >>functionality with the ssl_extlist_by_oid function? > > > Hmm, maybe. Maybe ssl_extlist could just call ssl_ext_lookup?
Like this possibly... Index: modules/ssl/ssl_expr_eval.c =================================================================== --- modules/ssl/ssl_expr_eval.c (revision 279892) +++ modules/ssl/ssl_expr_eval.c (working copy) @@ -200,55 +200,24 @@ #define NUM_OID_ELTS 8 /* start with 8 oid slots, resize when needed */ -apr_array_header_t *ssl_extlist_by_oid(request_rec *r, const char *oidstr) +apr_array_header_t *ssl_extlist_by_oid(request_rec *r, const char *extname) { - int count = 0, j; - X509 *xs = NULL; - ASN1_OBJECT *oid; + int count = 0, j, n = 0, len = 0; apr_array_header_t *val_array; - SSLConnRec *sslconn = myConnConfig(r->connection); + const char *val = NULL; /* trivia */ - if (oidstr == NULL || sslconn == NULL || sslconn->ssl == NULL) + if (extname == NULL) return NULL; - /* Determine the oid we are looking for */ - if ((oid = OBJ_txt2obj(oidstr, 1)) == NULL) { - ERR_clear_error(); - return NULL; - } - - /* are there any extensions in the cert? */ - if ((xs = SSL_get_peer_certificate(sslconn->ssl)) == NULL || - (count = X509_get_ext_count(xs)) == 0) { - return NULL; - } - val_array = apr_array_make(r->pool, NUM_OID_ELTS, sizeof(char *)); - /* Loop over all extensions, extract the desired oids */ - for (j = 0; j < count; j++) { - X509_EXTENSION *ext = X509_get_ext(xs, j); - - if (OBJ_cmp(ext->object, oid) == 0) { - BIO *bio = BIO_new(BIO_s_mem()); - - if (X509V3_EXT_print(bio, ext, 0, 0) == 1) { - BUF_MEM *buf; - char **new = apr_array_push(val_array); - - BIO_get_mem_ptr(bio, &buf); - - *new = apr_pstrdup(r->pool, buf->data); - } - - BIO_vfree(bio); - } + while ((val = ssl_ext_lookup(r->pool, r->connection, 1, extname, + n++, &len))) { + char **newentry =apr_array_push(val_array); + *newentry = (char *)val; } - X509_free(xs); - ERR_clear_error(); - if (val_array->nelts == 0) return NULL; else david